Cisco Systems on Friday released a security advisory about its VPN 3000 Series concentrators, which have a vulnerability that could allow a malicious user to send a crafted HTTP packet that could result in a denial-of-service attack.
Cisco has made free software available to affected customers to address the vulnerability, and has provided workarounds. The HTTP-based Web management interface is enabled by default on the VPN 3000 concentrators, but Cisco recommends disabling it to mitigate the vulnerability. With HTTP disabled, the concentrator can be configured to use HTTPS (HyperText Transfer Protocol Secure) for management instead. HTTPS must be enabled before HTTP is disabled, so that management access is not lost.
VPN 3000 concentrators running versions 4.7.0 through 4.7.2.A of the equipment's software are affected by this vulnerability. Earlier software versions are not affected.
Such vulnerabilities in Cisco VPN equipment have been discovered before, but customers should always make sure they are up to date on the latest patches and workarounds, said Tom Duffy, president and CEO of igxglobal, a Rock Hill, Conn.-based network security solution provider.
"They should check their systems anytime a patch is issued," Duffy said.
To help customers with these types of vulnerabilities, igxglobal sends out a daily security brief that alerts them to the potential risk and what to do to patch their systems, Duffy said. However, not all customers pay attention to these warnings, he added.
"It's a challenge for us sometimes with companies that put their head in the sand," Duffy said.